Skip to content

name_to_handle_at is gated by CAP_SYS_ADMIN and not CAP_DAC_READ_SEARCH as documented #45518

Closed
#45766
Closed
name_to_handle_at is gated by CAP_SYS_ADMIN and not CAP_DAC_READ_SEARCH as documented#45518
#45766
Labels
area/docsarea/securityarea/security/seccompexp/beginnerkind/bugBugs are bugs. The cause may or may not be known at triage time so debugging may be needed.status/0-triageversion/20.10
@peterwaller-arm

Description

@peterwaller-arm
peterwaller-arm
opened on May 11, 2023

Description

The docs state:

https://docs.docker.com/engine/security/seccomp/
name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_DAC_READ_SEARCH.

But the profile does not include this syscall in the CAP_DAC_READ_SEARCH, forcing use of CAP_SYS_ADMIN if you need this syscall.

moby/profiles/seccomp/default.json

Lines 580 to 588 in e58c267

"names": [
"open_by_handle_at"
],
"action": "SCMP_ACT_ALLOW",
"includes": {
"caps": [
"CAP_DAC_READ_SEARCH"
]
}

Consequently the syscall fails with EPERM (errno -1).

Reproduce

N/A

Expected behavior

It should be possible to enable this syscall with docker run --cap-add CAP_DAC_READ_SEARCH.

docker version

20.10.23 and e58c267d66cd9c8fc89c582047b22158c9d44db8.

docker info

N/A

Additional Info

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/docsarea/securityarea/security/seccompexp/beginnerkind/bugBugs are bugs. The cause may or may not be known at triage time so debugging may be needed.status/0-triageversion/20.10

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions